package jdbc;
/**
 * Demonstrates a precompiled (parameterized) SQL statement as the defence
 * against SQL injection: user input is bound to '?' placeholders, never
 * concatenated into the query text.
 */
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Scanner;

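public class JDBCDemo8 {
    /**
     * Demo login check built on a {@link PreparedStatement} with {@code ?}
     * placeholders, so the user-supplied username and password are bound as
     * parameters and can never alter the statement's structure (SQL injection
     * is prevented by construction, not by escaping).
     *
     * Reads two lines from stdin (username, then password), runs the lookup over
     * a connection from {@code DBUtil.getConnection()} and prints whether at least
     * one matching row exists. A {@link SQLException} is rethrown as a
     * {@link RuntimeException} with the original exception kept as the cause.
     *
     * NOTE(review): the query compares the raw password with the stored
     * {@code password} column, i.e. this demo presumes plaintext passwords in
     * {@code userinfo}. That is acceptable only as an injection demo; production
     * code must store a salted password hash (bcrypt/scrypt/argon2), look the
     * user up by username only and verify the hash in Java.
     *
     * @param args unused
     */
    public static void main(String[] args) {
        Scanner sc = new Scanner(System.in);
        System.out.println("请输入用户名和密码：");
        String username = sc.nextLine();
        String password = sc.nextLine();

        // The '?' placeholders fix the statement's meaning before any user input
        // is involved; an input such as  ' OR '1'='1  is handled purely as data.
        String sql = "SELECT id,username,password,nickname,age\n" +
                "        FROM userinfo\n" +
                "        WHERE username=? AND password=?;";

        // PreparedStatement and ResultSet are AutoCloseable as well. Closing them
        // explicitly (innermost first) instead of relying on Connection.close()
        // to cascade releases server-side statement/cursor resources promptly.
        try (Connection conn = DBUtil.getConnection();
             PreparedStatement ps = conn.prepareStatement(sql)) {
            // Bind the two parameters by 1-based position.
            ps.setString(1, username);
            ps.setString(2, password);
            try (ResultSet rs = ps.executeQuery()) {
                // Any row at all counts as a successful login; the selected
                // columns are not read in this demo.
                if (rs.next()) {
                    System.out.println("用户登录成功！");
                } else {
                    System.out.println("用户登录失败！");
                }
            }
        } catch (SQLException e) {
            // Keep the SQLException as the cause so the failure stays diagnosable.
            throw new RuntimeException(e);
        }
    }
}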
